deny ip mask (in server) & exclude for good users

These are old archives. They are kept for historic purposes only.
Beer
Posts: 8
Joined: Mon Aug 02, 2004 12:26 pm
Location: Cherepovets, Russia NW
Contact:

deny ip mask (in server) & exclude for good users

Post by Beer »

Help! Why banned ip mask with password (or etc) allow authentication for good users in this mask?
conf? modules? other?

#1 All Allow
allow {
ip *@*;
hostname *@*;
class clients;
maxperip 10;
};

^
I

#2 deny ip mask without correct password

??? :roll: {
ip *@217.118.*.*;
hostname *@*;
class clients;
reason "BAN IP or BAD PASSWORD!";
};


^
I

#3 Allow ip mask user with password
allow {
ip *[email protected].*.*;
hostname *@*;
class clients;
password "userpass_1";
maxperip 2;
};
...
^
I
...
allow {
ip *[email protected].*.*;
hostname *@*;
class clients;
password "userpass_N";
maxperip 2;
};

^
I
...
Last edited by Beer on Mon Aug 30, 2004 1:36 pm, edited 2 times in total.
73! Aleksey (BeerNet IRC)
Ron2K

Post by Ron2K »

Not sure what you mean, but it looks like you want people from a specific IP range to be prompted for a password on connect, while everyone else can get in without a password.

Quoted from the documentation:
Also the allow blocks are read upside down, so you need specific host/ip allow blocks AFTER your general *@* allow blocks.
So, simply put block #1 first in your config file, followed by block #3. (Get rid of block #2.) Then, what I think is your desired result should be achieved. People with IP 217.whatever-it-was.* will be prompted for a password. If they get it right, they connect; if not, they are rejected (thus making a deny IP block unnecessary). Anyone else (aka me :P ) will be able to connect without a password.

The lack of a question made it a tad tricky for me to know what you were trying to ask, but I seem to be getting good at working out these kinds of support questions. :P
Beer

Post by Beer »

===============================
#1 All Allow
allow {
ip *@*;
hostname *@*;
class clients;
maxperip 10;
};

#3 Allow ip mask user with password
allow {
ip *@80.92.15.*;
hostname *@*; # <-delete??? this ip mask no dns name!
class clients;
password "userpass";
maxperip 2;
};
============================
no working... no blocked without password... :cry:

user [email protected] connect with and without password... :(
Unreal3.2.1/Linux
73! Aleksey (BeerNet IRC)
Ron2K

Post by Ron2K »

Try removing allow::hostname and see what happens.

Dumb question, but you did remember to rehash, didn't you?
Beer

Post by Beer »

Dumb? :) Sorry...

[31-11:29] -beer.metacom.ru- *** Notice -- error: unrealircd.conf:48: allow::hostname missing

We have come to a determination this problem? :roll:
73! Aleksey (BeerNet IRC)
Ron2K

Post by Ron2K »

OK, so that didn't work... dunno why your previous post wasn't working though. I'll run some tests when I get home tonight and see what I can come up with.
Beer

Post by Beer »

OK
This theme and variations are discussed on a Russian forum devoted to UnrealIRCD.
http://forum.juravlev.inc.ru/viewtopic. ... =2351#2351
No come to a determination...
Password connect possible only after delete Section#1... :(


ban ip {mask 80.92.15.*;reason "BAN or BAD NICK";};
except ban {mask *[email protected].*;};

Not effective method, from behind substitution Nick and ip.

My conf http://www.stepan-razin.ru/irc/unrealircd.conf
73! Aleksey (BeerNet IRC)
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Use ban user instead of ban ip.
Beer

Post by Beer »

Ron2K, why some progress? test fail?
73! Aleksey (BeerNet IRC)
Ron2K

Post by Ron2K »

Beer wrote: Ron2K, why some progress? test fail?
Forgot :P
(I've got a test this evening and a test tomorrow night, so you can understand why.)
Beer

Post by Beer »

Ron2K, why some progress? test fail or forgot? 8)
73! Aleksey (BeerNet IRC)
AngryWolf
Posts: 554
Joined: Sat Mar 06, 2004 10:53 am
Location: Hungary
Contact:

Post by AngryWolf »

Hi Beer,

Read unreal32docs.html -> 4.5 - Allow Block -> "About matching" carefully! Not only the part that Ron2K quoted earlier. That will tell you what to do to make your IP based authentication work. And deleting allow::hostname is definitely a bad idea, because that directive is required.
Ron2K

Post by Ron2K »

Beer wrote: Ron2K, why some progress? test fail or forgot? 8)
Nope, I've got a crashbug :P
Beer

Post by Beer »

Working construction for users without DNS records.
Thanks ALL from http://bugs.unrealircd.org !!! :D Beer! Beer! Beer! :P

Read conf bottom-up:
---
Step#1. A user from 172.16.108.* with the password is allowed
log: *** Couldn't resolve your hostname; using your IP address instead
---
Step#2. All users in this mask without a valid password are denied
log: Closing Link: nick[ip] (Password mismatch)
---
Step#3. All other users are allowed

unrealircd.conf
--
allow {
ip *@*;
hostname *@*;
class clients;
maxperip 50;
};

# Access denied for ip-mask
allow {
ip *@172.16.108.*;
hostname *@NOBODY;
class clients;
password "super-password-for-ip_mask";
maxperip 2;
};

# access allow
allow {
# dynamic ip
ip *@172.16.108.*;
# static ip
#ip *@172.16.108.34;
hostname *@NOBODY;
class clients;
password "password_Chester";
maxperip 2;
};
.....

ps: Hmmm... strangely enough

for 172.16.108.* working string-> hostname *@NOBODY;
for 80.92.15.* working string only -> hostname *@INVALID; (with *@NOBODY not blocked)

Why?
73! Aleksey (BeerNet IRC)
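An added example (not part of the thread and not UnrealIRCd code): a small Python audit for the two allow-block layout problems discussed above. It assumes blocks are tried from the bottom of the file upwards, as the quoted documentation says, and that a block matches when either its ip or its hostname mask matches, which is this example's reading of the "About matching" section AngryWolf points to; `parse_allow_blocks`, `audit` and the finding labels are hypothetical names, and the sample config is constructed from the blocks posted in the thread.

```python
import re

# Constructed sample: the two-block layout posted mid-thread, placeholder password.
SAMPLE = '''
allow { ip *@*; hostname *@*; class clients; maxperip 10; };
allow { ip *@80.92.15.*; hostname *@*; class clients; password "userpass"; maxperip 2; };
'''

WILDCARD = {'*', '*@*'}
BLOCK_RE = re.compile(r'\ballow\s*\{(.*?)\}\s*;', re.S)

def parse_allow_blocks(conf):
    """Return one dict of directives per allow block, in file order."""
    conf = re.sub(r'#[^\n]*', '', conf)            # drop '#' comments
    blocks = []
    for body in BLOCK_RE.findall(conf):
        items = {}
        for stmt in body.split(';'):
            parts = stmt.split(None, 1)            # directive name, value
            if len(parts) == 2:
                items[parts[0]] = parts[1].strip().strip('"')
        blocks.append(items)
    return blocks

def audit(conf):
    """Return sorted (block_number, finding) pairs; numbers are 1-based file order."""
    blocks = parse_allow_blocks(conf)
    findings, open_block_below = [], False
    # Walk in the assumed match order: the last block in the file is tried first.
    for idx in range(len(blocks) - 1, -1, -1):
        b = blocks[idx]
        wide = b.get('ip') in WILDCARD or b.get('hostname') in WILDCARD
        if 'password' in b:
            if open_block_below:
                # A password-free catch-all is tried before this block.
                findings.append((idx + 1, 'shadowed-by-catch-all'))
            if b.get('hostname') in WILDCARD:
                # Assumed ip-OR-hostname matching: block is not limited to its ip mask.
                findings.append((idx + 1, 'hostname-wildcard'))
        elif wide:
            open_block_below = True
    return sorted(findings)

if __name__ == '__main__':
    for number, finding in audit(SAMPLE):
        print(f'allow block #{number}: {finding}')
```

The checks cover layout only; what the server does with a wrong password differed between the configurations reported in this thread, so the result still needs confirming against a live connection after a rehash.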